
Key facts.
- Memory poisoning is a distinct, demonstrated risk: malicious content written to persistent memory influences future sessions, and a query-only attack reaches 76.8% attack success and 98.2% injection success (MINJA, 2025).
- MINJA poisons an agent's memory via query-only interaction, reaching 76.8% attack success and 98.2% injection success, so the threat is demonstrated on real agents (MINJA, 2025).
- Corrupted state is inherited by every downstream step, so one bad write skews many later decisions.
Why is persistent memory harder to secure than a single turn?
Because the attack and the damage are separated in time. An attacker poisons the memory in one session, and the harmful action happens days later, in a clean-looking session, triggered by the stored content. There is no obvious link between the two. Securing this means treating memory writes as a trust boundary: validate what gets stored, attach provenance to memory entries, and re-check stored content before acting on it, rather than trusting memory just because it came from a past version of the agent.

Trusted memory vs. validated memory
| Trusted memory | Validated memory |
|---|---|
| Anything written is believed later | Memory writes validated at the boundary |
| Poison persists silently | Stored content carries provenance |
| Attack and damage look unrelated | Stored content re-checked before use |
A persistent agent that wrote a malicious instruction to memory carries the incident forward, and a more capable model inherits the store: MINJA poisons it at 76.8%. (arXiv:2503.03704)
VibeModel's Pattern Intelligence Layer treats memory as a surface to watch: it flags when stored content steers an agent toward an action that does not fit its history, the signature of a poisoned memory surfacing. You validate what gets written and attach provenance; we catch the moment old memory starts driving new behavior. Persistence is useful, and it needs the same suspicion you give any input.
Frequently asked questions
Should I just make agents stateless?
Where you can, it removes the risk. Where memory adds real value, validate writes and re-check stored content before acting on it.
How do I detect a poisoned memory?
Watch for stored content that pushes the agent toward out-of-pattern actions, and keep provenance so you can trace a memory back to where it came from.

